Corero Security

On January 30, 2018 a new mass exploitation tool called “Autosploit” was released on GitHub, a Git repository hosting service. Autosploit uses Python code to automatically search for vulnerable devices connected to the Internet and then uses Metasploit’s collection of exploits to take over computers and IoT devices. It automatically trawls the Internet for vulnerable devices that can be leveraged for DDoS attacks. Autosploit is not new code, per se, because it is a combination of the previously existing Shodan and Metasploit modules, which have long been used for penetration testing. However, this “marriage” of code makes it easier than ever for hackers to recruit new devices into their own botnet, which could then be used to mine cryptocurrencies, hack Internet applications or launch distributed denial of service (DDoS) attacks.

Autosploit enables both skilled cybercriminals and amateurs who lack technical expertise (also known as “script kiddies”) to form massive DDoS botnets, thus expanding the pool of potential hackers. As a result, many security experts predict an increase in the number of DDoS attacks and other cyber incidents.

A significant motivation behind DDoS attacks is financial gain, via extortion and ransom threats. These new, evolving malware-as-a-service tools and techniques are the signal that the gates are down and that companies face being attacked continuously. These forms of malware provide unending opportunities for cybercriminals to hijack vulnerable devices and subsequently launch attacks against online organizations with ease.

It is imperative for organizations to implement a next-generation Internet gateway that includes a best-of-breed DDoS security layer to immediately detect and mitigate DDoS attacks. Without this DDoS mitigation layer, companies that are hit with a DDoS attack could face significant loss of revenue and reputation due to outages.

Hackers who launch distributed denial of service (DDoS) attacks have varying motives, such as 1) competitive advantage against a business adversary, 2) vandalism for the sake of creating chaos/misfortune, 3) data theft, 4) political hacktivism or 5) cyber espionage. Earlier this week three Dutch banks and the Dutch Taxation Authority were victimized by DDoS attacks, starting on January 30. One security researcher claimed the attacks registered 40 Gbps. That’s not a massive volumetric attack, but it would be enough to disable a website. It’s more alarming when an attack impacts a bank or a government agency, because both types of organizations possess millions of sensitive data records.

The Dutch national tax office said its website went offline briefly, for 5-10 minutes. Regardless of how long they were under DDoS attack, those afflicted Dutch organizations should also be concerned about a security breach, because while a network is compromised hackers can infect it with malware that may “sleep” for weeks or months, only to be resurrected remotely by the hackers. Even a short-duration DDoS attack is sufficient to install malware. That’s partly what makes DDoS attacks so pernicious; alone they do not constitute a security breach, but they are often done as a precursor to a breach. With the new EU GDPR regulations going into effect at the end of May, those Dutch organizations had better take a close look at their IT security systems.

Some Dutch pundits (apparently off the record) surmise that Russian hackers launched the attacks as an act of political revenge for news reports that exposed the work of Russian state-sponsored hackers. According to BleepingComputer.com, “Last week, Dutch newspaper Volkskrant and TV station NOS published a report claiming that the country's AIVD intelligence service compromised the computer of a hacker who is part of the Russian-based cyber-espionage group Cozy Bear (also known as APT29). The report claims AIVD agents spied on the cyber-espionage unit since 2014 and observed how Russian intelligence services hacked into DNC servers during the 2016 US Presidential election.”

These days it’s possible that anyone, not just Russian hackers, could have launched the DDoS attacks, because there is an abundance of botnet code available on the Dark Web. The hackers could be state-sponsored, or not. The Dutch authorities will probably never know for certain the source of the DDoS attacks, since such attacks are notoriously difficult to trace.

This incident is just one of many that point to the need to implement a DDoS defense solution at the network edge. Corero has been a leader in DDoS protection solutions for over a decade. To learn how we can help protect your part of the Internet ecosystem, contact us.

The world is four days away from the opening ceremonies for the 2018 Winter Olympics held in Pyeongchang, South Korea. The Olympics are an athletic spectacle fraught with political undertones and have occasionally been targeted by terrorists and activists. As cyber threats have evolved and increased, so too has the probability of such attacks on the Games. Wired.com reports, “More so than any previous Olympics, the run-up to Pyeongchang has been plagued by apparent state-sponsored hackers.”

The Games have not even begun, but according to McAfee Advanced Threat Research, as of early January hackers had launched an email phishing campaign with an infected MS Word document that contained malware. Another attack campaign, which McAfee has dubbed Operation GoldDragon, attempted to plant three distinct spyware tools on target machines that would enable hackers to scour the compromised computers' contents.

The hackers could be lone actor mercenaries acting at the behest of nation-states, or they may be government staff. McAfee suspects the attacks originated from Russia and North Korea. The latter is a prime suspect, given its saber-rattling in the past year, its acrimonious relationship with its neighbor, and its suspected ties to the WannaCry Ransomware attack in the spring of 2017 and the attack on Sony Pictures in November of 2014.

Anyone who hacks the Games is most likely trying to do one of the following:

Create chaos and make operations more difficult for the Games and for citizens in general.

Conduct revenge against the US and other countries for economic sanctions.

Steal sensitive intellectual property or sensitive consumer data.

Thus far, no one has speculated about the probability of a distributed denial of service (DDoS) attack on the Games, but it certainly is possible. A DDoS attack could be a nuisance that impacts the service availability of one or more websites, or it could be a stealth attack that masks a more dangerous malware threat, or it could be a massive attack on critical infrastructure that cripples daily operations in the region or in the Olympic village. Let’s hope that the South Korean authorities and the Olympic Games organization have effective DDoS protection in place to prevent such attacks.

Earlier this month, a report by Neustar International Security Council (NISC) revealed that many businesses viewed unsecured IoT devices as their biggest concern about the state of their organisation’s security. While ransomware and financial data theft were still viewed as among the top threats, the prospect of wireless devices being hacked and used as weapons to compromise companies’ systems ranked as a greater concern. The report is hardly surprising, given the recent developments in IoT botnets and the huge potential for unsecured IoT devices to be turned into a botnet army and used to launch DDoS attacks by hackers.

Last year the massive Distributed Denial of Service (DDoS) attack that brought down the Dyn Domain Name System (DNS) service served as a serious wake-up call for security teams about the dangers of DDoS attacks using the IoT. This year, one of the most recent developments relating to these attacks is the vulnerability found in Huawei HG532 routers that is being exploited to spread a variant of the Mirai malware called Mirai Okiru. The new Mirai botnet targets ARC-based devices; ARC processors are found in millions of consumer, mobile and IoT devices. With an anticipated 20.4 billion devices due to be deployed by 2020, it’s safe to say that a DDoS attack utilising this vulnerability at scale could have devastating consequences. Therefore, it is important for organizations to ensure all devices are well protected and that security is baked in from the start. The danger behind Mirai Okiru is compounded by the fact that the code to exploit this vulnerability became freely available shortly after the bug was discovered, so threat actors can reuse it to carry out their own DDoS attacks in the future.

IoT devices still suffer from basic security vulnerabilities and it is precisely this lack of security that makes them so attractive to hackers. But it’s not just a password problem anymore. Attackers understand that manufacturers and users are waking up to the problem of passwords on IoT devices, and so are seeking more complex ways to access them. As this trend continues, and hackers become increasingly inventive when searching for new devices and ways to enlist them, there is really no limit to the size and scale of future DDoS attacks driven by IoT botnets.

After all, any device that has an Internet connection and a processor can be exploited. In an ideal world, all devices should be forced to go through some sort of network configuration before being used, rather than being exploitable from a default position.

Digital enterprises can protect their networks from DDoS attacks fuelled by IoT-driven botnets by deploying a real-time, automated solution at the network edge, which can instantaneously detect and mitigate DDoS activity and prevent threats from entering the network. As with all DDoS threats, clear visibility into traffic is a crucial step in detecting and defending against attacks.